Starting 19 March, the strike team launched a sinkholing operation that disabled the botnet, by taking out the servers running the attacks..

Within just five days of starting the takedown procedure, Kaspersky Lab neutralised more than 109,000 infected hosts, compared with just 40,000 infected hosts in the first Hlux/Kelihos botnet.

In January 2012 Kaspersky Lab experts released new research that revealed that despite the original botnet being neutralised and under control, a second Hlux/Kelihos botnet was operating in the wild.

Although the second botnet was new, the malware had been built using the same coding as the original Hlux/Kelihos botnet. This malware showed the second botnet had a few new updates, including infection methods and Bitcoin features for mining and wallet-theft.

Like the first version, the second botnet used its network of infected computers to send spam, steal personal data, and perform distributed denial of service (DDoS) attacks on specific targets.

To neutralise the flexible P2P botnet, the group of security experts created a global network of distributed machines that were installed into the botnet’s infrastructure. The sinkhole-network quickly increased its “popularity” in the network, which allowed more infected computers to be brought under Kaspersky Lab’s control, while preventing the malicious bot-operators from accessing them.

As more infected machines were neutralised, the P2P architecture caused the botnet’s infrastructure to “sink” as its strength weakened with each computer it lost control of.

With the majority of botnets connected to the sinkhole, Kaspersky Lab’s experts can conduct data mining to track the number of infections and their geographical locations. To date, they have counted 109,000 infected IP addresses. The majority of infected IP addresses were located in Poland.

In September 2011, Kaspersky Lab worked with Microsoft’s Digital Crimes Unit, SurfNet and Kyrus Tech to disable the original Hlux/Kelihos botnet. At that time Kaspersky Lab executed a sinkhole operation, which disabled the botnet and its backup infrastructure from the C&C.

0 comments

Register

Login

Forgot your password?

Your password has been sent to:

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy